Hacker News new | past | comments | ask | show | jobs | submit login
[flagged] Is Cloudflare Safe Yet (iscloudflaresafeyet.com)
64 points by rammy1234 44 days ago | hide | past | web | favorite | 48 comments



> Deploying RPKI is not as easy as flipping a switch as some sites would like to imply, it requires very careful planning, which can take months or years (in case equipment needs to be replaced and upgraded).

So? The assertion is "they're not secure", not "it's easy to become secure".

> While this is generally necessary to leverage the use of features like static file caching, it also means Cloudflare gets to see the billing details and possibly payment information of customers shopping on a Cloudflare protected e-shop.

I tend to trust Cloudflare with this info more than I trust the website itself and their 83 different unpatched WordPress plugins.


I think the more important point, which I agree with, is that Cloudflare shouldn't be using this scare tactic, especially in the middle of a pandemic.


Could you explain why security matters less during a pandemic?


You don't break critical infrastructure when it's needed the most, when what we have today is working "well enough" until a window of time presents itself when improvements can be made.

You manage risk through balancing security and business requirements. You mitigate the risk you can, you accept the risk you can't (or choose to defer).

Disclaimer: I work in risk. I have these conversations daily. When Cloudflare first published their RPKI marketing site, I thought it was an important issue until doing further research, and have since walked back my personal opinion (which was admittedly overzealous about RPKI initially) on the severity of the issue and the the timeline necessary for action to be taken.


They've been deferring for a long time.

The RKPI RFC is from 2012. Cloudflare's been publishing blog articles like "RPKI - The required cryptographic upgrade to BGP routing" (https://blog.cloudflare.com/rpki/) for years now.


And? If a central authority (or statute) doesn't dictate implementation, connectivity providers have the ability to defer forever. Customers have accepted the risk and deemed it acceptable if their provider does not support RPKI. It's their dollars to spend on connectivity, not ours.


> Customers have accepted the risk and deemed it acceptable if their provider does not support RPKI.

That's a silly assertion. What percentage of residential ISP customers do you think are aware at all of RPKI?

Cloudflare's "is BGP safe" page is intended to highlight the ISPs that are deferring RPKI. If you claim customers are making an educated decision on whether RPKI is necessary, you shouldn't have an objection to the site's existence.


It's a silly assertion to think most ISP customers would care about RPKI, even if made aware. Gmail works? Netflix works? Facebook works? Zoom works? Carry on. Prove me wrong! I would love to be wrong. People don't even care about PATRIOT act renewals, it is highly unlikely they're concerned about the implementation of cryptographic primitives for authenticating routing updates.

"Did you know China could poison routing tables and see all your data?" "I don't do anything I care about them seeing." This is from a real conversation with your average non-tech individual. It is not a technology issue (today, you could use VPNs [WARP] and cryptography to create a mesh from end users to Cloudflare to server side endpoints and fail closed when BGP routing gets hijacked temporarily anywhere in the mesh), it is a privacy advocacy issue. Encouraging people to care is the hard part.


That's moving the goalposts.

It may be that customers don't care when made aware - Cloudflare seems to think at least a few will, but I tend to agree many won't. "Customers have accepted the risk" was simply a laughable assertion.


Customers use their connectivity, today, as is, with the knowledge they have (and BGP has not changed in decades). That is accepting the risk (although I could see how my tangent about user education diverged from the core of our argument, mea culpa).

If Cloudflare wants to go through the marketing exercise and isn't putting unnecessary workload on other providers, I take no issue.


This is going into the "America vs Europe ISPs" argument again. Americans almost always have only one ISP available to them for where they live, so they can't reasonably leave their ISP just because they don't do RPKI correctly since it would leave them without any internet, or they would have to go to satellite internet with slow speeds.


Do you have a solution other than Cloudflare attempting to use their position as a large autonomous system to coerce implementation? If not, you might expect other providers to push back against such efforts.


And it's not just "business requirements". Many people are now forced to work from home, and they need working internet to do so. Their paycheque and ability to buy food and shelter may now depend on it.


toomuchtodo's response covers the relative importance of security. My concern is more about taste in marketing.


What is your worry about pointing out BGP's flaws, that folks will start panic-deploying another routing algorithm like they hoarded toilet paper?


As the site itself points out, they could needlessly increase the load on their ISP's tech support.


That would be awful! \s


you are deeply wrong


>more than I trust the website itself and their 83 different unpatched WordPress plugins.

While cloudflare may be protecting the WordPress instance from some attacks, your traffic is still flowing back to the host eventually. It's not like Cloudflare is keeping some of the data from the website. Whereas PayPal, Apple Pay et all actually do keep some of your information from the final party by assigning one time use payment info vs handing over a credit card number.


    I tend to trust Cloudflare with this info
    more than I trust the website itself
That does not change the point of the website. Your browser tells you that the traffic to somewebsite.com is encrypted. While in reality the traffic to cloudflare is encrypted. somewebsite.com can see your data anyhow. But now on top of that, cloudflare can. And if the traffic between cloudflare and somewebsite.com is not encrypted, there might be additional parties seeing your data.


That flexible ssl option is a huge problem. Some years back, https:// secured sited started showing injected ads and messages from an Indian ISP providing service to cloudflare there: https://medium.com/@karthikb351/airtel-is-sniffing-and-censo...


This is cute but utterly unconvincing.

I guess someone at one of the "insecure" companies listed at https://isbgpsafeyet.com/ got a little sore?


Is it not plausible that this is just a concerned person speaking out? Why go straight for the most cynical take?


Well, it’s clearly in response to isbgpsafeyet.com, since iscloudflaresafeyet.com was registered 2 days after the former was launched by CloudFlare https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-sec...


I mean they literally ripped off the header design of the original Cloudflare-run BGP site. That alone makes it clear they're responding that original post, and not out of some random desire to inform people of CloudFlare's design issues.


The fact that they're using smart campaign tactics doesn't imply that they're a competitor firing back rather than a concerned person taking advantage of the opportunity to draw attention to the things that concern them.


is it you

are you “they”


No. I was just responding to what I think is an excess of cynicism toward an unknown individual.


Oh please, the "is cloudflare safe" site is peak cynicism. Not sure how you can look past that point and then call everyone else a cynic.


> utterly unconvincing

Why?


They provide no source for the "DDOS for Hire" claim.

Sure, Cloudflare can decrypt SSL traffic and send it to the origin server unencrypted, but that can be (and is) done without Cloudflare involved at all, and you aren't any safer that way.

The VPN claim is just basic facts about how a VPN works, but they're wrong in saying it won't protect you. It will, if your local network or ISP is untrustworthy.

And then it just ends with them complaining about the BGP vulns they were called out on.


news article about it (with statement from Cloudflare, TL;DR "yes we get paid by such services but we don't want to be in the business of deciding if they are bad or not"): https://www.secureworldexpo.com/industry-news/does-cloudflar...

> Sure, Cloudflare can decrypt SSL traffic and send it to the origin server unencrypted, but that can be (and is) done without Cloudflare involved at all, and you aren't any safer that way.

So because you could run an unsafe configuration without Cloudflare, it's ok for Cloudflare to offer it?

I think criticism of Cloudflare is often overblown, but it's not like they are perfect. Run agressive marketing, expect to get called out for your failings.

EDIT: apparently their own route validation also isn't that strict? https://twitter.com/Benjojo12/status/1251538757595148291


"By using a VPN application like WARP, all you are doing is shifting who is able to read your traffic to someone else."

Isn't that the case with all VPNs? One of the most commonly VPN use cases is to create an encrypted tunnel between your connection and another server (VPN) so that it looks like your traffic is originating from that server.

Which VPN(s) doesn't allow another server to read your traffic? I thought a VPN connection has to have a VPN server which does this?


That is the case with all VPNs, but that is not commonly understood by people without technical expertise who have heard that a VPN will increase their security.


The natural reading of the URL is that the author will expose some surprising way that being a customer of Cloudflare is unsafe.

Instead, there's a mixture of the well-known (but valid!) MITM concerns and a hodgepodge of other crap. It would be better titled "my complaints about Cloudflare" but that's not good enough clickbait.

This deserves to be flagged.


How is the "Man in the Middle" concern different from any other CDN, like Akamai? At this point, I assume any major web presence is fronted by a CDN.


It seems to be based on a site by cloudflare: https://isbgpsafeyet.com/


I trust cloudflare more than my ISP. And regarding dns I trust next dns over 1.1.1.1. And I trust 1.1.1.1 more than 8.8.8.8 which is ran by ads company. I would like to thanks cloudflare for their service.


I'm a bit surprised to not see criticism of their SSL options. For a security company, Cloudflare makes it incredibly easy to set up insecure configurations to your origin. There are four SSL options to choose from, but only one is actually secure and it usually defaults to one of the insecure options.


This website is wrong in so many ways. Cloudflare isn't perfect and too much centralization is an issue but the arguments in this are wrong and emotional.

"Cloudflare is shielding cybercriminals" So? Criminals use many good services, it doesn't make the service bad.

"Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic" ISPs ARE insecure because of this. The global pandemic has nothing to do with this. Do we get mad at CVEs all of sudden during a pandemic?

"Falsely advertising their VPN application" It can be safer depending on the situation. If you need model closer to zero-trust (still not zero-trust though) use Tor.


To add:

> Cloudflare is shielding cybercriminals

Cloudflare has an abuse form https://cloudflare.com/abuse - CF also doesn't prohibit you from filing police reports with your local law enforcement, which CF will cooperate with upon receiving contact.

> Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic

https://hn.algolia.com/?q=bgp


I guess no one read all the way to the copyright

> While this site is a parody, it may contain factual information. :) The author has no affiliation with Cloudflare, Inc.


This is just so they don’t get sued into oblivion.


funnily enough, apparently Cloudflare did also accept invalid routes, at least from the client-side? https://twitter.com/Benjojo12/status/1251538757595148291 (entire thread is IMHO a good take on this)


this is ridiculous and misleading

no CloudFlare is not decrypting traffic

my lord as if a VPN tunnel is such a bad thing


Why flagged?


That’s a lot of words for

“I’m unable to secure BGP at my shit ISP and now I blame cloudflare for my ineptitude and bad press”


people who have strongly negative opinions about cloudflare are so confusing to me. literally everything they do has been done by akamai for a decade, and if you combined akamai and cloudflare and fastly and the next five biggest CDNs combined you still wouldn't even come close to touching the scope of what Amazon, FB, Google, Apple, and MS do.

Its like someone freaking out at whitecastle over the dangers of fast food and the environmental impact of beef. You're not necessarily wrong... just your aim is so wierd.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: